How to get xml data from .pcap and .cap files.

anjambha · ‎01-16-2018

Hi..
I am using Splunk Stream app to read pcap files which contains both binary and xml data.
After configuring pcap input, i can see some data in the splunk but not the xml data and i am more interesting in the xml data. Can anyone please help me to get the xml data from pcap files.

Thanks in advance !!

Sample data:

\D4ò\A1\00\00\00\00\00\00\00\00\00\00\FF\FF\00\00\00\00\00\ED\AB=Z'\00\F3\00\00\00\F3\00\00\00\FF\FF\FF\FF\FF\FF\FE\B5\BC9\00E\00\00\E5{1\00\00\80*\84\AC\AC\FF\00\8A\00\8A\00ѕ5
\FF\84\AC\00\8A\00\BB\00\00 EDEBFCEMEGEPFCEDEFCNEEEDDBCACACA\00 EDEBFCEMEGEPFCEDEFCACACACACACABN\00\FFSMB%\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00!\00\00\00\00\00\00\00\00\00\E8\00\00\00\00\00\00\00\00!\00V\00\00\00\00\00\002\00\MAILSLOT\BROWSE\00\00\80\FC
\00CARLFORCE-DC1\00\00\00+\80\00U\AA\00\EE\AB=Z\B6B\00\F3\00\00\00\F3\00\00\00\FF\FF\FF\FF\FF\FF\FE\B5\BC9\00E\00\00\E5{1\00\00\80*\84\AC\AC\FF\00\8A\00\8A\00ъ\C8
\FF\84\AC\00\8A\00\BB\00\00 EDEBFCEMEGEPFCEDEFCNEEEDDBCACACA\00 EDEBFCEMEGEPFCEDEFCACACACACACABN\00\FFSMB%\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00!\00\00\00\00\00\00\00\00\00\E8\00\00\00\00\00\00\00\00!\00V\00\00\00\00\00\002\00\MAILSLOT\BROWSE\00\00\80\FC
<name>Berry-Berry Belgian Waffles</name>
    <price>$8.95</price>
    <description>
    Belgian waffles covered with assorted fresh berries and whipped cream
    </description>
    <calories>900</calories>
\D4ò\A1\00\00\00\00\00\00\00\00\00\00\FF\FF\00\00\00\00\00\ED\AB=Z'\00\F3\00\00\00\F3\00\00\00\FF\FF\FF\FF\FF\FF\FE\B5\BC9\00E\00\00\E5{1\00\00\80*\84\AC\AC\FF\00\8A\00\8A\00ѕ5
\FF\84\AC\00\8A\00\BB\00\00 EDEBFCEMEGEPFCEDEFCNEEEDDBCACACA\00 EDEBFCEMEGEPFCEDEFCACACACACACABN\00\FFSMB%\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00!\00\00\00\00\00\00\00\00\00\E8\00\00\00\00\00\00\00\00!\00V\00\00\00\00\00\002\00\MAILSLOT\BROWSE\00\00\80\FC
\00CARLFORCE-DC1\00\00\00+\80\00U\AA\00\EE\AB=Z\B6B\00\F3\00\00\00\F3\00\00\00\FF\FF\FF\FF\FF\FF\FE\B5\BC9\00E\00\00\E5{1\00\00\80*\84\AC\AC\FF\00\8A\00\8A\00ъ\C8
\FF\84\AC\00\8A\00\BB\00\00 EDEBFCEMEGEPFCEDEFCNEEEDDBCACACA\00 EDEBFCEMEGEPFCEDEFCACACACACACABN\00\FFSMB%\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00!\00\00\00\00\00\00\00\00\00\E8\00\00\00\00\00\00\00\00!\00V\00\00\00\00\00\002\00\MAILSLOT\BROWSE\00\00\80\FC

How to get xml data from .pcap and .cap files.

Why getting timeout error while adding data to the Splunk cloud index from REST API?

Is there something different you have to do for a HF-HF-INDEXER than a UF-HF-INDEXER?

How to write query for including non business hours and weekends